topic SSH to gateways with ansible in Ansible

SSH to gateways with ansible

Cesc — Fri, 17 Dec 2021 14:57:11 GMT

Hello everyone,

I can connect via ssh with the command ansible without playbook:

$ ansible all -i inventory -a "clish -c 'show version all'"
[WARNING]: Platform linux on host ckp-lab is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change
this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ckp-lab | CHANGED | rc=0 >>
Product version Check Point Gaia R80.40
OS build 294
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

But when I try with ansible-playbook does not work:

$ ansible-playbook -i inventory ssh-test.yml

PLAY [My playbook] **************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************
fatal: [ckp-lab]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"setup": {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "exception": "Traceback (most recent call last):\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible.modules.system.setup', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 188, in run_module\r\n fname, loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 82, in _run_module_code\r\n mod_name, mod_fname, mod_loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\r\n exec code in run_globals\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/modules/system/setup.py\", line 136, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/__init__.py\", line 34, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/compat.py\", line 33, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/default_collectors.py\", line 51, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/system/service_mgr.py\", line 35, in <module>\r\nImportError: No module named distutils.version\r\n", "failed": true, "module_stderr": "Shared connection to 192.168.251.220 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible.modules.system.setup', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 188, in run_module\r\n fname, loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 82, in _run_module_code\r\n mod_name, mod_fname, mod_loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\r\n exec code in run_globals\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/modules/system/setup.py\", line 136, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/__init__.py\", line 34, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/compat.py\", line 33, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/default_collectors.py\", line 51, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/system/service_mgr.py\", line 35, in <module>\r\nImportError: No module named distutils.version\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1, "warnings": ["Platform linux on host ckp-lab is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information."]}}, "msg": "The following modules failed to execute: setup\n"}

PLAY RECAP **********************************************************************************************************************************************************************
ckp-lab : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

playbook:

more ssh-test.yml
---
- name: My playbook
hosts: all
tasks:
- name: show version
command: "clish -c 'show version all'"

Do someone knows what I am doing wrong?

Thank you in advance! 🙂

Re: SSH to gateways with ansible

StuartGreen — Tue, 21 Dec 2021 10:17:17 GMT

Hi Cesc,

That's a really long and messy error message but basically it means that the host you're connecting to can't run the Ansible Python module that gets transferred and executed automatically. You should be fine with the CP Ansible modules which use the HTTP API, raw and possibly shell commands with Ansible, but the Python setup on Gaia is hardened so doesn't include the necessary modules for Ansible.

Re: SSH to gateways with ansible

Art_Zalenekas — Tue, 21 Dec 2021 21:14:55 GMT

There are a couple of issues: One, you are running with gather_facts = True, which is default state in Ansible for Playbooks. you ran ad-hoc command, which executes just the command/module you ask for. CHKP GW does not have default gathering stats over SSH, but we do have a module for that which we execute over HTTPAPI Plugin. Solution: Either add gather_facts: false to the playbook, or disable in the ansible.cfg file globally (/etc/ansible/ansible.cfg) or locally to either the project (playbook location) or your home directory (~). Under section [defaults] add gathering = explicit . Look at the Ansible variables precedence on their Docs page. In general, don't collect facts of systems, unless you need to use those somewhere for whatever (conditional) reason.
Second, our CHKP Gaia does not carry distutils python package. That is why it fails execution. Ansible needs it to package up and execute gathering facts on the host.
When you are working with SSH sessions to manage hosts, use pipelining = True in your ansible config (look at the explanation in the main ansible.cfg file). For SSH connections, always use pipelining = True unless you have issues with compatibility. That helps with a lot quicker execution of tasks over SSH.

Here is my .ansible.cfg in my project directory:

[defaults] inventory = inventory.ini gathering = explicit interpreter_python = /usr/bin/python3 callback_whitelist = timer [ssh_connection] pipelining = True host_key_checking = False control_path_dir = ~/.ansible/cp

Here is my inventory:

[chkp] chkp-gw ansbile_host=10.10.12.1 ansible_user=admin

Here is my playbook:

--- - name: test ssh to chkp group hosts: chkp vars_prompt: - name: ansible_password prompt: Enter password unsafe: yes private: yes tasks: - name: show version command: clish -c 'show version all' register: result - debug: var=result.stdout_lines ...

Run playbook:
$ ansible-playbook test.yml

Now, you can use the prompt in the playbook to force and ask for the password for the ansible_password variable (you don't want to hard-code that in the inventory or the playbook), you can skip that and call the playbook with --ask-pass, or best is to copy your SSH public key to the managed host with $ ssh-copy-id admin@10.10.12.1, and not use any password at all, which is highly recommended. You can of course encrypt with Ansible Vault a variable file, but that is another topic (Google for that). If you go the PKI route, don't forget to add ansible_ssh_private_key_file=<path_to_private_key> in either the playbook or directly into the inventory file for that host or group of hosts.

That should help. Have fun on the automation side!
PS: Look at using the HTTPAPI Plugin for managing CHKP GWs (Gaia or Passthrough over MGMT) and MGMT servers.

Kind regards,
Arturas Zalenekas